06-29-2011 07:57 AM - edited 03-11-2019 01:52 PM
Hi,
I have a newly set up ASA5505 running 8.0, with remote access (AnyConnect) working.
The clients can reach the LAN, and vice versa.
I'm trying to figure out how the h*ck the NAT is built; I've even set all incoming and outgoing traffic to permitted, but with no luck.
With iptables in Linux, I would simply say "all traffic that leaves interface outside should be translated", something like this:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
I've tried every possible combination in ASA with no luck. Can you spot an obvious problem?
While pinging 8.8.8.8 for example, I see this in the log:
6 | Jun 29 2011 | 07:41:16 | 302021 | 172.16.31.1 | 1024 | 8.8.8.8 | 0 | Teardown ICMP connection for faddr 172.16.31.1/1024 gaddr 8.8.8.8/0 laddr 8.8.8.8/0 (user) |
My config is as follows:
name 172.16.31.0 vpn-clientz description vpn clients
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.249 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.2.3.94 255.255.255.252
!
access-list vpn-clients remark tunnel all traffic
access-list vpn-clients standard permit any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 vpn-clientz 255.255.255.0
access-list outside_access_out extended permit ip any any log disable
access-list outside_access_in extended permit ip any any log disable
access-list inside_access_in extended permit ip any any log disable
access-list inside_access_out extended permit ip any any log disable
ip local pool vpn-clients 172.16.31.1-172.16.31.20 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 sol-vpn-clientz 255.255.255.0
06-29-2011 11:16 AM
What is it that you want to NAT? The VPN clients? The inside network? Are you doing split tunnel on the group policy for the Anyconnect or you have tunnel all and want to provide internet access to the Anyconnect clients via the ASA?
Let me know.
Mike
06-29-2011 11:18 PM
Sorry for being unclear.
I want to source NAT the VPN clients when going in any direction BUT 192.168.0.0/16. I believe the split tunneling does work at the moment:
group-policy somevpn internal
group-policy somevpn attributes
dns-server value 192.168.0.2 192.168.10.2
vpn-tunnel-protocol svc
split-tunnel-network-list value admins
address-pools value vpn-clients
access-list admins standard permit 192.168.0.0 255.255.255.0
07-05-2011 02:18 AM
Hey,
Any clues what might be wrong?
07-08-2011 03:42 PM
Are you looking to nat the VPN clients when going out to the internet through the ASA? If that's the case, you need something like this:
nat (outside) 1 172.16.31.0 255.255.255.0
same-security permit intra-interface
and also remove split-tunnelling from the configuration completely.
Hope this helps!!
Regards,
Prapanch
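Putting the accepted answer together with the poster's existing config, here is what the complete pre-8.3 hairpin setup looks like. This is an added example, not configuration from the thread or from Cisco; it reuses the thread's pool, names and addresses (the outside IP 1.2.3.94 is the poster's own placeholder) and assumes ASA 8.0 NAT syntax. Note that the full keyword is same-security-traffic, not same-security as written in the answer.

```cisco
! Added example (not from the thread): ASA 8.0 hairpin NAT so AnyConnect
! clients reach the Internet through the ASA. Pre-8.3 nat/global syntax.
!
! 1. Allow traffic that arrived on "outside" (decrypted VPN traffic) to
!    leave through "outside" again. Without this the ASA drops it and
!    you only ever see the 302021 teardown lines from the original post.
same-security-traffic permit intra-interface
!
! 2. Client address pool (thread's values)
ip local pool vpn-clients 172.16.31.1-172.16.31.20 mask 255.255.255.0
!
! 3. Keep VPN <-> LAN traffic untranslated (identity NAT, already present
!    in the thread's config; mask 255.255.0.0 covers all of 192.168.0.0/16)
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.31.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! 4. PAT everything else from the pool to the outside interface address.
!    Decrypted client packets enter on "outside", so the nat statement is
!    bound to outside, not inside. The id (1) links it to the global below.
!    This pair is the ASA equivalent of the iptables MASQUERADE rule.
nat (outside) 1 172.16.31.0 255.255.255.0
global (outside) 1 interface
!
! 5. Tunnel all client traffic (no split tunnel), otherwise Internet-bound
!    packets never reach the ASA to be translated. This replaces the
!    split-tunnel-network-list line from the poster's group policy.
group-policy somevpn attributes
 split-tunnel-policy tunnelall
 address-pools value vpn-clients
```

To confirm it is working, have a client browse somewhere and run show xlate on the ASA: a PAT entry mapping the client's 172.16.31.x address to 1.2.3.94 should appear. Because every client packet now traverses the ASA, the outside_access_in ACL is the place to restrict what VPN users may reach on the Internet, rather than the permit ip any any currently in place.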